Api security Checklist
Review client-side protection options after server-side protection
Yüklə 2,4 Mb. Pdf görüntüsü
|
|
Review client-side protection options after server-side protection:
focus first on protecting back-end APIs. We know that client-side code and end-user devices will always be prone to tampering and reverse engineering by attackers. Given enough time, an attacker can circumvent anti-tampering and anti-debugging mechanisms, bypass root or jailbreak checks, potentially defeat app authentication, and parse obfuscated code. Mature organizations are aware of this cat-and-mouse game and bolster back-end security before considering front-end protection options. Some client-side protections can be obtained for low or no cost, such as in the case of Android Studio obfuscation with ProGuard . However, obfuscation by itself will not prevent reverse engineering, it just slows down the process for attackers. System library calls can’t be obfuscated since it makes the code unrunnable. As a result, organizations that pursue the path of client-side code protection must also pair obfuscation with anti-debugging and anti-tampering techniques. Logging and monitoring The top 3 recommendations for logging and monitoring include: 1. Define all the infrastructure, application, and API elements that must be logged 2. Factor in non-security use cases such as API performance and uptime measures 3. Allocate enough storage for API telemetry, which will lead you to cloud Logging and monitoring are not specific to just API security, but it is oftentimes an afterthought for even general IT processes. Every interaction that users and machines have with your API tells a story. These story elements include authentication successes and failures, rates of requests, time of day, the location from where requests originate, data stores accessed, and much more. It should be a question of “what should we log?” but rather “how do we extract meaningful signals from logged data?” All of the telemetry you collect ultimately informs detection, incident response, and runtime protection. It is also useful for Salt I API Security Best Practices I 12 constructing baselines of what constitutes “normal” so that any outlier events can be quickly identified and resolved. Baselines are useful for analyzing general performance or availability problems but also security issues. Best practices for logging and monitoring include: 1. Yüklə 2,4 Mb. Dostları ilə paylaş:
|